
Dependency Tracking with SBOMs

Monitor all software dependencies across your organization using SBOMs and policy enforcement in SBOM Observer.

Overview

Dependency tracking is critical for maintaining software security and compliance. By analyzing Software Bill of Materials (SBOMs) from your own applications and vendor software, you gain complete visibility into all components and their dependencies. This enables proactive vulnerability monitoring and automated policy enforcement across your organization.

Why Dependency Tracking Matters

Modern software relies on numerous components—both internal and external. Without proper tracking:

  • Vulnerabilities go undetected when new security issues are discovered
  • Compliance requirements slip through the cracks across distributed teams
  • Regulatory pressures mount (NIS2, CRA, DORA, etc.) without systematic oversight

Getting Started with SBOM Observer

1. Collect SBOMs from All Sources

Generate and collect SBOMs from:

  • Your applications - Use the Observer CLI to generate SBOMs, or integrate it into your CI/CD pipeline
  • Vendor software - Request SBOMs from third-party vendors and upload them to SBOM Observer
  • Dependencies - Include both direct and transitive dependencies

# Generate a CycloneDX SBOM for your application
observer fs -o sbom.json .

2. Gain Complete Visibility

SBOM Observer automatically indexes all components and shows you:

  • Component inventory - All libraries, packages, and tools with their versions
  • Vulnerability status - Real-time updates on known CVEs affecting your components
  • Dependency relationships - How components relate to and depend on each other
  • Policy violations - Immediate alerts when components violate your security policies

3. Define and Enforce Policies

Create policies that enforce your compliance requirements:

Policy Example: Critical Risk Guardrails

  • Block components with CVSS ≥ 9 that also have EPSS ≥ 0.5 (high likelihood of exploitation)
  • Require metadata.supplier.name and metadata.supplier.url on every SBOM
  • Alert when components are missing vendor support (scope set to runtime)
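As an added illustration of what the guardrails above check (this is not SBOM Observer's policy engine or its policy syntax), the following script evaluates a constructed CycloneDX SBOM: it flags components affected by a CVSS ≥ 9 vulnerability whose EPSS ≥ 0.5 and reports missing supplier metadata. The vulnerability ids, scores and EPSS values are placeholders.

```python
"""Evaluate a CycloneDX SBOM against the 'Critical Risk Guardrails' above:
block components with a CVSS >= 9 vulnerability whose EPSS >= 0.5, and
require metadata.supplier.name and metadata.supplier.url."""
import json

# Constructed sample SBOM; ids and scores are placeholders, not real advisories.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"supplier": {"name": "Example Corp"}},
  "components": [
    {"bom-ref": "pkg:npm/left-lib@1.0.0", "name": "left-lib", "version": "1.0.0"},
    {"bom-ref": "pkg:npm/right-lib@2.3.4", "name": "right-lib", "version": "2.3.4"}
  ],
  "vulnerabilities": [
    {"id": "VULN-PLACEHOLDER-1", "ratings": [{"method": "CVSSv31", "score": 9.8}],
     "affects": [{"ref": "pkg:npm/left-lib@1.0.0"}]},
    {"id": "VULN-PLACEHOLDER-2", "ratings": [{"method": "CVSSv31", "score": 9.1}],
     "affects": [{"ref": "pkg:npm/right-lib@2.3.4"}]}
  ]
}"""

# Constructed EPSS lookup; in practice this comes from the FIRST EPSS feed.
EPSS = {"VULN-PLACEHOLDER-1": 0.91, "VULN-PLACEHOLDER-2": 0.02}


def max_cvss(vuln):
    """Highest CVSS score among a vulnerability's ratings (0 if none)."""
    return max((r.get("score", 0) for r in vuln.get("ratings", [])
                if str(r.get("method", "")).startswith("CVSS")), default=0)


def evaluate(sbom, epss):
    """Return (blocked component refs, missing metadata fields)."""
    blocked = sorted({a["ref"]
                      for v in sbom.get("vulnerabilities", [])
                      if max_cvss(v) >= 9 and epss.get(v["id"], 0) >= 0.5
                      for a in v.get("affects", [])})
    supplier = sbom.get("metadata", {}).get("supplier", {})
    missing = [f"metadata.supplier.{k}" for k in ("name", "url") if not supplier.get(k)]
    return blocked, missing


def check_policy(sbom_json=SBOM_JSON, epss=EPSS):
    return evaluate(json.loads(sbom_json), epss)


if __name__ == "__main__":
    blocked, missing = check_policy()
    for ref in blocked:
        print("BLOCK", ref)       # both CVSS and EPSS thresholds exceeded
    for field in missing:
        print("MISSING", field)   # required SBOM metadata absent
```

Only left-lib is blocked: right-lib has a critical CVSS score but its EPSS is below the 0.5 threshold, which is the point of combining the two signals.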

Set policies for regulatory requirements like:

  • NIS2 - Network and Information Systems Security
  • CRA - Cyber Resilience Act
  • DORA - Digital Operational Resilience Act
  • Internal security standards - Your organization's requirements

4. Monitor and Alert

SBOM Observer continuously monitors your dependencies:

  • New vulnerabilities trigger immediate alerts
  • Policy violations are highlighted in your dashboard
  • Historical tracking shows how your dependency risk changes over time

Integration with CI/CD

Integrate SBOM Observer into your build pipeline with the Observer CLI quickstart and the full CLI reference. At a high level you will:

  • Generate SBOMs automatically during each build (observer fs …)
  • Upload and analyze them to enforce policies (observer upload, observer analyze --fail)
  • Track change history by storing SBOMs with every release

Double-check the linked guides for platform-specific examples (GitHub Actions, GitLab CI, Azure DevOps, etc.) and the latest flag syntax.

Best Practices

Do:

  • Generate SBOMs for every release
  • Request SBOMs from all software vendors
  • Update policies regularly as threats evolve
  • Monitor vulnerability alerts daily
  • Track metrics over time

Don't:

  • Ignore policy violations
  • Delay patching known vulnerabilities
  • Skip tracking vendor software
  • Set policies that are too strict (they'll be ignored)
  • Forget to update compliance requirements

Next Steps

  1. Set up the Observer CLI in your build pipeline
  2. Create and upload SBOMs from your applications
  3. Write your first policy to enforce compliance
  4. Analyze impact of vulnerabilities on your software